To: 
Of: 


İCO. 


Information Commissioner's Office 


DATA PROTECTION ACT 2018 
(PART 6, SECTION 149) 


SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER 
ENFORCEMENT NOTICE 


DATED: 14 February 2022 


Smith, Law & Shepherds IFA Ltd 
209 Liverpool Road, Birkdale, Southport, Merseyside, PR8 4PH 


Smith, Law & Shepherds IFA Ltd (Companies House number 06866394) is a 
“controller” as variously defined in sections 3(6) and 6 of the Data Protection 
Act 2018 (“the DPA”) and Articles 4(7) of the General Data Protection 
Regulation (“GDPR”).! The controller offers independent advice from a range 
of providers for Investments, Pensions, Protection and Mortgages. It processes 


personal data in the course of carrying out its functions. 


The Information Commissioner (“the Commissioner”) has decided to issue 
Smith, Law & Shepherds IFA Ltd with an Enforcement Notice under section 
149 DPA. The Notice is in relation to contraventions of Article 15 of the EU and 
UK GDPRs. This Notice is accordingly issued under section 149(2)(b) DPA. 


This Notice explains the Commissioner's decision. 


1 The subject access requests in issue for the purposes of this Enforcement Notice were made on 14 
April 2020 and 17 April 2020. From these dates until 31 December 2020, the EU GDPR applied in the 
United Kingdom. 
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Legislative Framework 


4. The DPA contains enforcement provisions in Part 6 which are exercisable by 


the Commissioner. 
5. Section 149 DPA materially provides: 


"(1) Where the Commissioner is satisfied that a person has failed, or is 
failing, as described in subsection (2), (3), (4) or (5), the Commissioner 
may give the person a written notice (an “enforcement notice”) which 
requires the person— 

(a) to take steps specified in the notice, or 

(b) to refrain from taking steps specified in the notice, or both (and 


see also sections 150 and 151). 


(2) The first type of failure is where a controller or processor has failed, 
or is failing, to comply with any of the following— 
(b) a provision of Articles 12 to 22 of the UK GDPR or Part 3 or 4 


of this Act conferring rights on a data subject; 


(6) An enforcement notice given in reliance on subsection (2), (3) or (5) 
may only impose requirements which the Commissioner considers 


appropriate for the purpose of remedying the failure.” 


6. Section 150 DPA materially provides: 


"(1) An enforcement notice must— 
(a) state what the person has failed or is failing to do, and 


(b) give the Commissioner’s reasons for reaching that opinion. 
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(2) In deciding whether to give an enforcement notice in reliance on 


section 149(2), the Commissioner must consider whether the failure has 


caused or is likely to cause any person damage or distress. 


(4) An enforcement notice may specify the time or times at which, or 
period or periods within which, a requirement imposed by the notice 


must be complied with (but see the restrictions in subsections (6) to 


(8)).” 


Chapter 3 of the GDPR makes provision for the rights afforded to data subjects. 
These include the rights of subject access, rectification, erasure and restriction 


of processing. 


Specifically Chapter 3, Article 15 of the GDPR materially provides, insofar as 


relevant: 


"(1) the data subject shall have the right to obtain from the controller 
confirmation as to whether or not personal data concerning him or her 
are being processed, and, where that is the case, access to the personal 
data and the following information: 

(a) the purposes of the processing; 

(b) the categories of personal data concerned; 

(c) the recipients or categories of recipient to whom the 
personal data have been or will be disclosed, in particular 
recipients in third countries or international organisations; 

(d) where possible, the envisaged period for which the personal 
data will be stored, or, if not possible, the criteria used to 


determine that period; 
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(e) the existence of the right to request from the controller 
rectification or erasure of personal data or restriction of 
processing of personal data concerning the data subject or 
to object to such processing; 

(f) the right to lodge a complaint with the Commissioner; 

(g) where the personal data are not collected from the data 
subject, any available information as to their source; 

(h) the existence of automated decision-making, including 
profiling, referred to in Article 22(1) and (4) and, at least in 
those cases, meaningful information about the logic 
involved, as well as the significance and the envisaged 


consequences of such processing for the data subject. 


(3) the controller shall provide a copy of the personal data undergoing 
processing. For any further copies requested by the data subject, the 
controller may charge a reasonable fee based on administrative costs. 
Where the data subject makes the request by electronic means, and 
unless otherwise requested by the data subject, the information shall be 


provided in a commonly used electronic form. ...” 


Background to the cases concerned 
Case 1 


9. —— a! (“Data Subject 1”) submitted a subject access request to 
Smith, Law & Shepherd IFA Ltd on 14 April 2020 in the following terms: 


“Data Protection Act 2018 Subject Access Request 
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I am writing to make a subject access request under the Data Protection Act 


2018 in order to obtain a copy of all documents, of any kind, which relate to 


me and my pension. 


This must include, but not be limited to:- 


All personal information and records relating to me. 

All information relating to payments made by me and details of how such 
payments were distributed. 

All information relating to the level of commission received and any other 
companies associated with my pension transfer. 

All correspondence with any person or organisation, whether by email, 
fax, letter or other medium. This should include any correspondence sent 
to me or received from me or which mentions me or my investments or 
anything connected therewith. 

All forms and other documents to include, but not be limited to, anything 
which required my signature. 

Fact finds, suitability reports, commentaries and advice in any other 
form. 

All information, brochures, memoranda and illustrations given to me. 
Attendance notes of meetings and telephone calls, either with me or 
which relate to me or my investments in any way. 


Recordings of telephone calls. 


If you do not normally deal with these requests, please pass this letter to your 


Data Protection Officer, or relevant staff member. 


If you need any more data from me please let me know as soon as possible. 


It may be helpful for you to know that data protection law requires you to 


respond to a request for data within one calendar month.” 


10. 


11. 


12. 


13. 


14. 
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Data Subject 1 sent further emails to Smith, Law & Shepherd IFA Ltd on 7 July 


2020 and 28 September 2020, chasing a response and reminding Smith, Law 
& Shepherd IFA Ltd of its obligations under data protection law. 


Data Subject 1 didn’t receive a response and subsequently complained to the 
Commissioner on 24 November 2020. Following receipt of this complaint, a 
case officer wrote to Smith, Law & Shepherd IFA Ltd on 15 April 2021, 
reminding it of its obligations under data protection legislation and requiring it 


to take appropriate steps to respond to the subject access request. 


On 9 June 2021, Data Subject 1 contacted the Commissioner to complain that 
he had still not received a response and so on 24 June 2021, the case officer 
sent an email to the CEO of Smith, Law & Shepherd IFA Ltd asking him to 


ensure that Data Subject 1 received his information within 7 days. 


This did not happen and on 24 August 2021 Data Subject 1 contacted the 
Commissioner again because he had still not had a response. Following this 
contact the case officer telephoned Smith, Law & Shepherd IFA Ltd to find out 
what was going on. The case officer was advised that someone would return 
his call but they did not. 


On 8 October 2021, Data Subject 1 had still not received a response and so 
the case officer telephoned Smith, Law & Shepherd IFA Ltd again on 19 
October 2021. Smith, Law & Shepherd IFA Ltd was of the view that the request 
had been satisfied when it sent information to the Financial Ombudsman’s 
Service. The case officer advised that was not the case and that a response 
had to be provided to Data Subject 1 as well. The case officer ended the call 


believing that a response would be sent imminently. 
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15. Following further exchanges with the case officer Data Subject 1 confirmed on 


4 November 2021 that he had still not received his information. 


16. The case was escalated to a team manager who wrote to Smith, Law & 


Shepherd IFA Ltd on 8 November 2021 about this case and another case that 
is detailed below. She instructed Smith, Law & Shepherd IFA Ltd to provide a 


response to data subject 1 within 7 days and she made it clear that providing 


information to the Financial Ombudsman’s Service was not sufficient to satisfy 


the request. 


17. We subsequently got in touch with Data Subject 1 to see if he had received a 


response. He confirmed that he had not on 9 December 2021. 


Case 2 


18. eO (“Data Subject 2”) submitted a subject access request to 
Smith, Law & Shepherd IFA Ltd on 17 April 2020 in the following terms: 


“Data Protection Act 2018 Subject Access Request 


I am writing to make a subject access request under the Data Protection Act 


2018 in order to obtain a copy of all documents, of any kind, which relate to 


me and my pension. 


This must include, but not be limited to:- 


All personal information and records relating to me. 

All information relating to payments made by me and details of how such 
payments were distributed. 

All information relating to the level of commission received and any other 
companies associated with my pension transfer. 

All correspondence with any person or organisation, whether by email, 


fax, letter or other medium. This should include any correspondence sent 


19. 


20. 


21. 
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to me or received from me or which mentions me or my investments or 
anything connected therewith. 
e All forms and other documents to include, but not be limited to, anything 
which required my signature. 
e Fact finds, suitability reports, commentaries and advice in any other 
form. 
e All information, brochures, memoranda and illustrations given to me. 
e Attendance notes of meetings and telephone calls, either with me or 
which relate to me or my investments in any way. 


e Recordings of telephone calls. 


If you do not normally deal with these requests, please pass this letter to your 


Data Protection Officer, or relevant staff member. 


If you need any more data from me please let me know as soon as possible. 
It may be helpful for you to know that data protection law requires you to 


respond to a request for data within one calendar month.” 


Data Subject 2 sent further emails to Smith, Law & Shepherd on 3 July 2020 
and 3 June 2021 chasing a response and reminding Smith, Law & Shepherd 


of its obligations under data protection law. 


Data Subject 2 complained to the Commissioner on 30 November 2020. 
Following receipt of this complaint, a case officer wrote to Smith, Law & 
Shepherd IFA Ltd on 29 June 2021, reminding it of its obligations under data 
protection legislation and requiring it to take appropriate steps to revisit the 


request. 


On 27 August 2021, Data Subject 2 contacted the Commissioner to complain 


that he had still not received a response and so on 9 September 2021, the 
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case officer telephoned Smith, Law & Shepherd IFA Ltd and was advised that 


someone would return his call but they did not. 


Following further exchanges with the case officer, Data Subject 2 confirmed 


on 12 November 2021 that he had still not received his information. 


In the meantime the case was escalated to a team manager who wrote to 
Smith, Law & Shepherd IFA Ltd on 8 November 2021 about this case and case 
1. She instructed Smith, Law & Shepherd IFA Ltd to provide a response to Data 
Subject 2 within 7 days and she made it clear that providing information to the 


Financial Ombudsman Service was not sufficient to satisfy the request. 


We subsequently got in touch with Data Subject 2 to see if he had received a 


response. He confirmed that he had not on 9 December 2021. 


The contravention 


25. 


In light of the above, the Commissioner is of the view that Smith, Law & 
Shepherd IFA Ltd has contravened Chapter 3, Article 15 of the GDPR, in that 
it has failed to inform data subject 1 and data subject 2, without undue delay, 
whether their personal data is being processed by or on behalf of the controller 
and, where that is the case, has failed without undue delay to provide access, 
in an intelligible form, to such personal data, and to the information as set out 
at Article 15(1). 


Issue of the Notice 


26. 


The Commissioner has considered, as he is required to do under section 150(2) 
DPA when considering whether to serve an Enforcement Notice, whether any 


contravention has caused or is likely to cause any person damage or distress. 


27. 
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The Commissioner has decided that it is unlikely that damage or distress has 


been caused in this instance. 


Having regard to the significant level of the contravention, in particular the 
length of time since Smith, Law & Shepherd IFA Ltd received the subject access 
requests in question on 14 and 17 April 2020 respectively, the Commissioner 
considers that an Enforcement Notice would be a necessary and proportionate 


regulatory step to bring Smith, Law & Shepherd IFA Ltd into compliance. 


In view of the above, the Commissioner has decided to exercise his powers 
under section 149(2)(b) DPA to require the controller to take the steps 


specified in Annex 1 of this Notice. 


Consequences of failing to comply with an Enforcement Notice 


29. 


If a person fails to comply with an Enforcement Notice the Commissioner may 
serve a penalty notice on that person under section 155(1)(b) DPA requiring 
payment of an amount up to £17,500,000, or 4% of an undertaking’s total 


annual worldwide turnover whichever is the higher. 


Right of Appeal 


30. 


By virtue of section 162(1)(c) DPA, there is a right of appeal against this Notice 
to the First-tier Tribunal (Information Rights). Information about your right of 


appeal is set out in the attached Annex 2. 


Dated the 14 February 2022. 


Andrew Laing 

Head of Public Advice and Data Protection Complaints 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 
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ANNEX 1 


TERMS OF THE ENFORCEMENT NOTICE 


THIS NOTICE REQUIRES THE CONTROLLER TO TAKE THE FOLLOWING 
STEPS: 


1) By no later than 16 March 2022, to have informed the individuals referred to 
at paragraph 9 and 18, who have made a subject access requests, whether or 
not Smith, Law & Shepherd IFA Ltd is processing personal data concerning 
these individuals, and if so provide these individuals with a copy of their data, 
subject only to the proper application of any exemption from, or restriction or 
adaptation of, the right of subject access provided for in or by virtue of the UK 
GDPR or DPA. 
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ANNEX 2 


RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 162(1)(c) of the Data Protection Act 2018 gives any person upon 
whom an enforcement notice has been served a right of appeal to the 
First-tier Tribunal (Information Rights) (“the Tribunal”) against the 


notice. 
2. If you decide to appeal and if the Tribunal considers:- 


a) that the notice against which the appeal is brought is not in 


accordance with the law; or 


b) to the extent that the notice involved an exercise of discretion 
by the Commissioner, that he ought to have exercised his 


discretion differently, 


the Tribunal will allow the appeal or substitute such other decision as 
could have been made by the Commissioner. In any other case the 


Tribunal will dismiss the appeal. 


3. If an appeal is brought, this Notice need not be complied with pending 
determination or withdrawal of that appeal. Information about the 


appeals process may be obtained from: 


General Regulatory Chamber 
HM Courts & Tribunals Service 
PO Box 9300 

Leicester 

LE1 8DJ 13 
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Telephone: 0300 123 4504 


Email: grc@justice.gov.uk 


. Any Notice of Appeal should be served on the Tribunal within 28 calendar 


days of the date on which this Notice is sent. 


. The statutory provisions concerning appeals to the First-tier Tribunal 
(General Regulatory Chamber) are contained in sections 162 and 163 of 
the Data Protection Act 2018, and the Tribunal Procedure (First-tier 
Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory 
Instrument 2009 No.1976 (L.20)). 


